Reverse Engineering of Laser Cutter Controller RDLxxx and RDCAM Software

Scrambling Algorithm

The controller RDLxxx and the software RDCAM scramble the data when communicating. The same scrambling algorithm is also used for data files (*.rld) of RDCAM.

The scrambling is done block-wise using a block length of 1 byte. Therefore, a simple 256-entry look-up table could be used for both scrambling and descrambling. However, it is possible to describe the scrambling using elementary logic operations, which allows for a faster and shorter implementation. This page describes the simple scrambling and descrambling procedures. Please note that different versions of the controller and the RDCAM software use slightly different values in the scrambling procedures.

Scrambling

Step    Description                                      C Code
Input   a descrambled/plain byte p (0x00 ... 0xFF)       uint8_t scramble(uint8_t p) {
1       swap first and last bit                          uint8_t a = p & 0x7E | p >> 7 & 0x01 | p << 7 & 0x80;
2       bit-wise exclusive OR with magic number          uint8_t b = a ^ MAGIC;
3       add 1 with wrap-around                           uint8_t s = (b + 1) & 0xFF;
Output  a scrambled byte s (0x00 ... 0xFF)               return s; }

Descrambling

Step    Description                                      C Code
Input   a scrambled byte s (0x00 ... 0xFF)               uint8_t descramble(uint8_t s) {
1       subtract 1 with wrap-around                      uint8_t a = (s + 0xFF) & 0xFF;
2       bit-wise exclusive OR with magic number          uint8_t b = a ^ MAGIC;
3       swap first and last bit                          uint8_t p = b & 0x7E | b >> 7 & 0x01 | b << 7 & 0x80;
Output  a descrambled/plain byte p (0x00 ... 0xFF)       return p; }

Magic Values

Controller   RDCAM version   Magic Value   C Code
RDL9635      3               0x38          #define MAGIC 0x38
RDLC230-A    6               0x88          #define MAGIC 0x88
RDC6442G     8               0x88          #define MAGIC 0x88
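
Added example (not from the original page or from RDCAM): because every byte is scrambled independently with one magic value, a single known plain/scrambled byte pair is enough to solve for the magic of a controller version that is not listed above. The sketch below does that, checks the round trip over all 256 byte values, and builds the 256-entry look-up table mentioned earlier. All function names are hypothetical helpers, and the magic is passed as a parameter instead of the MAGIC macro.

```c
#include <stddef.h>
#include <stdint.h>

/* Step "swap first and last bit" from the tables above; it is its own inverse. */
static uint8_t swap_ends(uint8_t x) {
    return (uint8_t)((x & 0x7E) | (x >> 7 & 0x01) | (x << 7 & 0x80));
}

/* Same three steps as scramble() on this page, magic passed in (assumption). */
uint8_t scramble_m(uint8_t p, uint8_t magic) {
    return (uint8_t)((swap_ends(p) ^ magic) + 1);
}

/* Same three steps as descramble() on this page, magic passed in (assumption). */
uint8_t descramble_m(uint8_t s, uint8_t magic) {
    return swap_ends((uint8_t)((uint8_t)(s - 1) ^ magic));
}

/* Solve s = (swap(p) ^ magic) + 1 for magic, given one known pair (p, s). */
uint8_t recover_magic(uint8_t p, uint8_t s) {
    return (uint8_t)(swap_ends(p) ^ (uint8_t)(s - 1));
}

/* Returns 1 if descrambling undoes scrambling for all 256 byte values. */
int round_trip_ok(uint8_t magic) {
    for (int v = 0; v < 256; v++)
        if (descramble_m(scramble_m((uint8_t)v, magic), magic) != v)
            return 0;
    return 1;
}

/* Fill the 256-entry descrambling look-up table for a given magic. */
void build_descramble_lut(uint8_t magic, uint8_t lut[256]) {
    for (int v = 0; v < 256; v++)
        lut[v] = descramble_m((uint8_t)v, magic);
}

/* Descramble a buffer in place using the look-up table. */
void descramble_buf(uint8_t *buf, size_t n, uint8_t magic) {
    uint8_t lut[256];
    build_descramble_lut(magic, lut);
    for (size_t i = 0; i < n; i++)
        buf[i] = lut[buf[i]];
}
```

A candidate magic recovered from one pair should be confirmed against a second known pair before it is used on a whole file or capture.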